Kape Technologies, a former malware distributor that operates in Israel, has now acquired four different VPN services and a collection of VPN “review” websites that rank Kape’s VPN holdings at the top of their recommendations. This report examines the controversial history of Kape Technologies and its rapid expansion into the VPN industry.
As is normal in the tech industry, the VPN world is undergoing some major changes and consolidation. The most recent example of this is with ExpressVPN, which announced plans this week to be acquired by Kape Technologies. While this may come as a surprise to many people, it is nothing new in the industry. In fact, Kape has been on a VPN buying spree since 2017.
Unfortunately, many VPN users remain oblivious about the real owners of the VPN they are using as well as the questionable history behind some of these entities. This in-depth report intends to reveal the details for all to see. Here’s what we’ll cover:
- Kape (formerly Crossrider) was a distributor of malware and adware
- The people behind Kape and Crossrider
- Crossrider begins purchasing VPN services, then changes name to Kape Technologies
- Kape purchases a collection of VPN “review” websites, then changes the rankings
- The future of Kape’s VPN ventures
To get a better understanding of the situation, we must first examine the history of Kape.
Kape (formerly Crossrider) was a distributor of malware and adware
Before 2018, Kape Technologies was called Crossrider and it was an infamous player in the malware industry. You can still find numerous articles about Crossrider’s malware and adware infecting various devices.
Below is an excerpt from a Malwarebytes article that discussed how Crossrider malware infected devices through software bundles:
Crossrider offers a highly configurable method for its clients to monetize their software. The common method to infect end-users is software bundlers. The installers usually resort to browser hijacking. Targeted browsers are Internet Explorer, Firefox, Chrome, and sometimes Opera. Crossrider not only targets Windows machines but Macs as well.
PUP.Optional.Crossrider installs are typically triggered by bundlers that offer software you might be interested in and combine them with adware or other monetizing methods.
In studying Crossrider’s business, it appears that Crossrider profited from infecting devices with malware, which would then use browser hijacking to direct traffic to partner advertisers. This pernicious line of work earned Crossrider a notorious reputation. This business model goes hand-in-hand with data collection, while also abusing the privacy and security of the end-user who suffered the misfortune of being infected with Crossrider malware.
Note: Crossrider malware was still wreaking havoc as late as August 2019. This is about two years after the purchase of CyberGhost VPN and the initial promise to refocus on user privacy. Another post from Malwarebytes explains how Crossrider malware was infecting devices in 2018:
Persistence is the goal of most malware. After all, what good is it to infect a machine if the malware stops running as soon as the computer restarts? There are some cases where that can still be useful (ransomware, for example), but in most cases, that’s not desired behavior. So malware creators are often stuck using the same old methods of persistence that are easy to spot. Sometimes, though, they get creative.
Infection method– Malwarebytes article from 2018
This new Crossrider variant doesn’t look like much on the surface. It’s yet another fake Adobe Flash Player installer, looking like the thousands of others we’ve seen over the years.
Opening the installer results in a familiar install process, with nothing unique about it. In the course of installation, it dumps a copy of Advanced Mac Cleaner, which commences to announce that it has found problems with your system using Siri’s voice. (No such problems actually exist, of course.) Safari also pops open and then closes again suspiciously. This is all very blasé, as far as malware goes.
But something interesting has happened behind the scenes. After removing Advanced Mac Cleaner, and removing all the various components of Crossrider that have been littered around the system, there’s still a problem. Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed.
Note: I have not seen any evidence suggesting that Kape is still in the adware/malware business as of today (September 2021).
Now that we’ve examined the business operations of Kape/Crossrider, let’s look at the leadership.
The people behind Kape and Crossrider
The main person behind Kape is Teddy Sagi, an Israeli billionaire who previously spent time in jail for insider trading. Sagi earned much of his wealth from a gambling company called Playtech. Sagi acquired Kape Technologies in 2012 and led it to be a major player in the malware and adware industry.
The other key figure behind Kape is Koby Menachemi. Forbes wrote a good article on Menachemi, detailing his ties to Israeli intelligence and cyber espionage.
Forbes noted the ties that Kape had to Israeli state surveillance entities:
A vast number of companies are affiliated with ad injectors, either packaging their tools or funnelling ads down to them. One of the biggest is Crossrider, the majority stake of which is held by billionaire Teddy Sagi, a serial entrepreneur and ex-con who was jailed for insider trading in the 1990s. His biggest money maker to date is gambling software developer Playtech. Co-founder and CEO Koby Menachemi was part of Unit 8200, where he was a developer for three years.
What went unnoticed, until now, is that most of the searchable organisations involved in this potentially dangerous business are based in Israel. They also happen to have links to the nation’s military and its top signals intelligence agency, the Israeli equivalent of the NSA or GCHQ: Unit 8200, which works out of the Israel Defense Forces (IDF).
Interestingly, we also just learned that ExpressVPN’s CIO, Daniel Gericke, also has ties to state surveillance activities. According to Reuters, Gericke and two others, “admitted to violating U.S. hacking laws and prohibitions on selling sensitive military technology” to the United Arab Emirates. According to reports, this “sensitive military technology” helped the UAE spy on dissidents and human rights activists.
“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct,” Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division said in a statement.
Make of this situation what you will. However, keep in mind that when you use a VPN, you are trusting the service to handle all of your internet traffic and not do anything questionable in the background.
Crossrider begins purchasing VPN services, then changes name to Kape Technologies
Now that you understand the background and leadership behind Kape Technologies, let’s examine its involvement in the VPN industry.
2017: Crossrider purchases CyberGhost VPN for $10 million
Crossrider’s first big VPN acquisition was in March 2017 when it purchased CyberGhost VPN for about $10 million. Originally founded in 2004, CyberGhost was a big player in the industry that experienced rapid growth before it was acquired.
2018: Crossrider changes name to “Kape”
Sometime in 2018, Crossrider decided to change its name to “Kape Technologies” as part of a rebranding effort. Ido Erlichman, the CEO of Kape, admitted that the name change was an attempt to distance Kape from controversial “past activities”:
The decision to rename the company, explains Erlichman was due to the strong association to the past activities of the company as well as the need to enhance the consumer facing brand for the business.
CyberGhost also admitted in a blog post that Crossrider was an “ad tech” company that did the “opposite” of what CyberGhost does (privacy and security):
While CyberGhost focused on privacy and security from day one, Crossrider started out as a company that distributed browser extensions and developed ad tech products. Quite the opposite of what we did.
2018: Kape purchases Zenmate VPN for $5 million
Not being content with just one VPN service, Kape then moved on to purchase Zenmate VPN, based in Germany, for around $5 million.
2019: Kape purchases Private Internet Access for $127 million
The next acquisition came in 2019 when Kape purchased Private Internet Access (PIA) for $127 million in cash and shares. At the time, PIA was a major player in the VPN industry with a substantial user base.
We wrote an article about it back in 2019 and described how many PIA users were upset about the acquisition and did not trust Kape. This screenshot from a PIA user on the PIA subreddit summarizes the situation in a few words.
But the acquisitions were not over…
2021: Kape purchases ExpressVPN for $936 million
The latest major VPN acquisition we have for Kape Technologies is ExpressVPN, which it purchased for nearly $1 billion. This is by far the largest VPN acquisition to date and a major addition to Kape’s portfolio.
Watching this same story play out over and over again over the past four years is kind of like Groundhog Day. We generally find two reactions, with the user base being upset and the acquired VPN trying hard to calm everyone down.
- ExpressVPN users largely seem upset by the news.
- ExpressVPN issues canned statements and press releases along the lines of “Don’t be alarmed, everything is good!”
Let’s see how many more times this same story plays out with future VPN acquisitions.
Kape purchases a collection of VPN “review” websites for $149 million, then changes the rankings
In another twist to the plot, Kape Technologies also purchased a collection of VPN review websites in 2021. Yes, you got that right. The parent company that owns these VPNs now also owns a few high-profile websites that “review” and recommend VPNs to users around the world.
This is clearly a conflict of interest, but that goes without saying.
In May 2021, news broke that Kape had purchased a company called Webselenese. Like Kape, Webselenese also operates out of Israel and runs the websites vpnMentor.com and Wizcase.com. Collectively, these two websites have monthly search traffic of around 6.1 million visitors according to Ahrefs traffic analysis tool (September 2021).
Note that there may be other VPN review websites in Kape’s portfolio that we’re not aware of.
Visiting vpnMentor’s homepage today, we find that the parent company’s three large VPN services all hold the top 3 spots in the rankings of the best VPNs for 2021.
Wizcase.com: Similarly, we find the exact same top 3 rankings on Kape’s other website Wizcase.com.
Just a few months ago, both vpnMentor and Wizcase had NordVPN and Surfshark in their top rankings. However, since Kape purchased these websites, we see significant rankings changes that give all of the top 3 spots to Kape’s own VPN companies.
The future of Kape’s VPN ventures
If the past is an indication of the future, Kape will continue to expand its holdings in the cybsersecurity and VPN industry, which only continues to grow. Perhaps in the not-so-distant future, this conglomerate of VPNs and VPN review websites will be spun off and potentially sold as its own company.
In the meantime, there are now millions of VPN subscribers who fall under Kape’s ownership and control. Unfortunately, none of Kape’s VPNs that I have tested have been stand-out performers. The one exception would be ExpressVPN, but it too has fallen behind in the past year and dropped a few spots in our rankings, which will be updated soon to reflect these developments and the latest tests.
Hopefully, this trend in consolidation will slow down as it gives the end-user fewer choices with independently-owned VPN services.